Criminal investigations into national security leaks tend to be long, complicated and delicate affairs. Sources generally cover their tracks, especially in an era when even the most innocuous computer activity leaves an electronic trail. Leaks are common, but prosecutions aren’t.
Edward Snowden took extraordinary precautions when he leaked troves of classified information on surveillance activity by the National Security Agency to journalists and was charged only after he publicly revealed himself to be the source. Thomas Drake, a former NSA executive, wasn’t indicted for several years after he passed on details about fraud and waste at the agency to the Baltimore Sun. Originally accused of felony espionage, Drake pleaded guilty to a misdemeanor of exceeding authorized use of a computer.
In the case of Reality Leigh Winner, a government contractor accused of sending a top-secret document to a news outlet, federal authorities brought charges less than a week after being tipped off.
Winner, 25, was charged Monday with gathering, transmitting or losing defense information, as The Washington Post reported. Court documents did not identify the document that was leaked or the news outlet that received it, but the criminal complaint against Winner was unveiled shortly after the national security site the Intercept published a story containing an NSA report on Russian efforts to interfere with the 2016 election.
The Post has reported that the charges are related to the Intercept’s story, which describes how Russian military intelligence used hacking techniques against a U.S. voting software supplier and more than 100 local election officials in the days before voters went to the polls. The Intercept called the classified document the “most detailed U.S. government account of Russian interference in the election that has yet come to light,” saying it indicated that Russian hacking may have gone deeper than previously known.
A search warrant affidavit filed and accessible to the public in federal court in Georgia reveals how it took just a few days for investigators to single out Winner as the alleged source of the leak.
It started on May 30, when the news outlet showed authorities the printed materials and asked them to comment, according to the affidavit.
“The U.S. Government Agency examined the document shared by the News Outlet and determined the pages of the intelligence reporting appeared to be folded and/or creased,” the affidavit reads, “suggesting they had been printed and hand-carried out of a secured space.”
An internal audit showed that six people had printed out the top-secret materials after they were published at the beginning of the month. One of them was Winner, who worked for Pluribus International at a facility in Georgia, the affidavit says.
Investigators said they searched Winner’s work computer and found that she had emailed the news outlet in March from a personal account. In her message, they said, she appeared to ask for transcripts of a podcast. In response, the news outlet “confirmed Winner’s subscription to the service,” according to the affidavit.
The review of Winner’s computer history also showed that on May 9 she searched the agency’s classified system using search terms that led her to the report, the affidavit says. That day, it says, she printed the document.
The agency told the FBI about the leak on June 1. The same day, the affidavit says, an unidentified government contractor contacted the agency to say he had been in touch with a reporter from the news outlet, who had texted pictures of the document to verify their authenticity. The reporter told the contractor that the documents came through the mail and were postmarked “Augusta, Georgia,” according to the affidavit.
“The Contractor informed the Reporter that he thought that the documents were fake,” the affidavit reads. “Nevertheless, the Contractor contacted the U.S. Government Agency on or about June 1, 2017, to inform the U.S. Government Agency of his interaction with the reporter.”
The following day, FBI agents staked out Winner’s one-story red brick house near downtown Augusta, Ga., where they saw her driving a light-colored Nissan Cube, according to the affidavit.
Winner was arrested Saturday. When FBI agents questioned her at her home, she admitted “removing the classified intelligence reporting from her office space, retaining it, and mailing it from Augusta, Georgia, to the news outlet,” court documents read. She remains in jail pending a detention hearing. Her lawyer declined to comment on the charges.
After the charges were announced Monday, some cybersecurity experts remarked on the apparent ease with which investigators were able to trace the leak back to Winner. Some went so far as to say the Intercept had “outed” her by posting copies of the document online. The Intercept said the materials were submitted anonymously.
According to Rob Graham, who writes for the blog Errata Security, the Intercept’s scanned images of the intelligence report contained tracking dots — small, barely visible yellow dots that show “exactly when and where documents, any document, is printed.” Nearly all modern color printers feature such tracking markers, which are used to identify a printer’s serial number and the date and time a page was printed.
“Because the NSA logs all printing jobs on its printers, it can use this to match up precisely who printed the document,” Graham wrote Monday.
Graham’s post gave a step-by-step demonstration of how investigators could have easily done just that. Using a tracking dot decoding tool from the Electronic Frontier Foundation, he said he determined that he document “was from a printer with model number 54, serial number 29535218” and was printed on May 9, 2017, at 6:20 a.m.
“The NSA almost certainly has a record of who used the printer at that time,” Graham wrote.
Others picked up on the same point.
“Just a reminder, colour printers spy on you,” tweeted data analyst Tim Bennett. “This one embedded the exact time a U.S. government employee printed a subsequently leaked doc.”
More from Morning Mix